Analysis
- Max time kernel: 160s
- Max time network: 169s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 12-02-2022 07:14
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe
  Resource: win10v2004-en-20220113
General
- Target: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe
- Size: 192KB
- MD5: 08d1e60242ba9855a89bc44900bd16d5
- SHA1: 5778926763f5913a2c094c047744a8f109a103d6
- SHA256: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a
- SHA512: 8c8bacdafbb56d4395259e63359e24ff01c4261c2a7bfe95c3e9605054fd41c932b3253ab11c45a988ef6fb24bf824d27d661fc91e3d44b4c2fa49918ae9d3e6
Malware Config
Signatures
- Sakula Payload (2 IoCs)
  Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe: family_sakula
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1932 MediaCenter.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation by 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe" by 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe
- Drops file in Windows directory (8 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log by svchost.exe
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb by svchost.exe
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm by svchost.exe
  - File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log by svchost.exe
  - File opened for modification: C:\Windows\Logs\CBS\CBS.log by TiWorker.exe
  - File opened for modification: C:\Windows\WinSxS\pending.xml by TiWorker.exe
  - File opened for modification: C:\Windows\WindowsUpdate.log by svchost.exe
  - File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk by svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid, process, tokens requested, in order):
  - 3952 svchost.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege (this pair repeated 3 times, 6 entries)
  - 760 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe: SeIncBasePriorityPrivilege
  - 4172 TiWorker.exe: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege, then the triple SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege repeated 18 times (57 entries)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 760 wrote to memory of 1932: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe -> MediaCenter.exe (3 entries)
  - PID 760 wrote to memory of 3716: 0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe -> cmd.exe (3 entries)
  - PID 3716 wrote to memory of 408: cmd.exe -> PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe (PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe (PID 1932)
    Command line: C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 3716)
    Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\0e262dbe8c1c1590bfa9e623a31cc5e75b52855c93d594f3f13bf336b2f9048a.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 408)
      Command line: ping 127.0.0.1
      - Runs ping.exe
- C:\Windows\system32\svchost.exe (PID 3952)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 4172)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 81e6ce45cee9f4eda07ab008489ff4e8
  SHA1: 9e89c70cbd9b8f6704dfc4f9d31d3ee6eb3e005e
  SHA256: 6dd828da9afa7f04d1ccbda0f1902796b927049d41e6d66588f61ab3a5816fb0
  SHA512: 7c5d0b5a650722904529122a653b31e2492f46a08a63602f61eafcfbb5690e09d75d84f4418dcffebef31c865d6487acc093119099d2be9a7594b6bce8ac41bb